Nethserver 7.3 as Domain AD - User deletion and group mail alias

activedirectory
mailserver
v7
mail

(Agustinus Mulyawan) #1

NethServer Version: 7.3.1611
Module: nethserver-samba 2.0.8 1.ns7

I just migrated to NethServer 7 as an Active Directory Domain.
I just noticed that on creating a new group, there is no email alias for the group. It needs to be created manually, both the mail alias and the members of the mail alias.
Below is the messages log:

Jul 11 00:53:21 service esmith::event[144305]: Event: group-create qwerty user1
Jul 11 00:53:21 service esmith::event[144305]: Added group qwerty
Jul 11 00:53:22 service esmith::event[144305]: Added members to group qwerty
Jul 11 00:53:22 service esmith::event[144305]: Action: /etc/e-smith/events/group-create/S40nethserver-dc-group-create SUCCESS [1.133855]
Jul 11 00:53:22 service esmith::event[144305]: [NOTICE] clearing sssd cache for group qwerty@my.domain
Jul 11 00:53:22 service esmith::event[144305]: Action: /etc/e-smith/events/group-create/S90nethserver-sssd-clear-cache SUCCESS [0.273908]
Jul 11 00:53:22 service esmith::event[144305]: Event: group-create SUCCESS

On user deletion there are also issues:

  1. On mail alias, the user is still a member of the mail alias.
  2. The email folder is deleted but other folders of the user still remain in:
    /var/lib/nethserver/home/
    /var/lib/nethserver/profile/
    /var/lib/nethserver/nextcloud/

(Agustinus Mulyawan) #2

I already tried on a clean installation using VirtualBox and updated the NethServer.
It also has the same issue.

From Management Users and Groups > Groups, create new groups.
On Management Email Addresses > Mail Aliases, I cannot find the new group that I just created.
Then I add the Mail Aliases of the group manually.
From Management Users and Groups > Users, create a new user and directly add it to existing groups that already have Mail Aliases.
On Management Email Addresses > Mail Aliases, the new user is not yet part of the group’s Mail Aliases.
Then I add the new user manually to be part of the group’s Mail Aliases.
Delete the user from Management Users and Groups > Users, then double check in the group’s Mail Aliases (where I previously added the user manually to be part of the group’s Mail Aliases); the user email address is still a member of the group.
I never found this issue before on NethServer 6. Any advice is really appreciated.


(Marc) #3

@enzoturri @asl @saitobenkei @rolf @giacomo @davidep, what do you think? Is this the expected behaviour, or could this be a new feature request?


(Davide Principi) #4

Well, we can see some inconsistencies among the packages listed above.

Surely, ns7 has a new concept/use case that ns6 does not have: the remote account provider. In this case the user-deleted and group-deleted events can’t be caught.

After some months of real world experience, I’d prefer that ns7 behave exactly like ns6 in the local account provider scenario. Thus when a user/group is deleted, the local data dirs are also removed.

But on remote scenario nothing can be done.

Confirmed. Mail aliases must be created manually. For the local accounts provider on a mail server, a UI enhancement during user/group creation could be adding a checkbox that enables mail alias and shared mailbox creation.


(Vincenzo Turri) #5

In my opinion, creating a group should create a mail alias. Great idea of @davidep to add a checkbox.

Deleting a (local) user should propose the deletion of related data (mail, nextcloud …).


(Davide Principi) #6

Added project cards with NFR here


(Alessio Fattorini) #7

I totally support this, it would make the behavior more consistent.


(Stéphane de Labrusse) #8

Got it workable. Do you want it only on group creation, with no update on group-modify? We could make a checkbox and update the group alias on the group-modify event too.


(Davide Principi) #9

What would happen when the checkbox is unchecked in group/edit panel?


(Stéphane de Labrusse) #10

The pseudonym key is not created.
The pseudonym-create and sharedmailbox-create events are not launched.

The checkbox appears only on group creation and only if dovecot is installed (mail2-server).


(Davide Principi) #11

I agree to go with the group creation use case at first. Further use cases can be designed at a later time.

The checkbox label could be

 Create also a shared mailbox and an email address named after the group

(Stéphane de Labrusse) #12

I see one con with only the group-create event:

  • create a group and create group alias
  • remove the group
  • create it again
  • sharedmailbox-create will warn that the mailbox exists

IMHO, there are two ways:

  • grep and test if the shared mailbox exists before triggering the event
  • implement a group-modify and a group-delete to expand more users as aliases of a group and/or delete the shared mailbox and the users no longer part of that group.

What do you think?

Here is a prototype based on user-event


(Stéphane de Labrusse) #13


What resources to delete? Can we make a list:

vmail boxes
samba home?
nextcloud?

Do we just remove the user resources without warnings, or could we make a checkbox list of resources to remove?

- user deletion, what resources you want to remove
[ ] email box
[ ] samba home
[ ] Nextcloud file

(Giacomo Sanchietti) #14

I guess that applications which need to remove data, should simply register to the delete event.

Samba, Nextcloud and homes are ok as starting point.
Maybe we could also remove the user mailbox.


(Stéphane de Labrusse) #15

It does not seem trivial for Nextcloud… this is the path:

/var/lib/nethserver/nextcloud/B20B58F4-04A1-4923-8C42-2B50F9995863/files/Documents/file2
/var/lib/nethserver/nextcloud/C34FF8A0-F2BA-47F2-B3E6-5C71885C5491/files/Documents/file1

Need to find how to retrieve the username from the path


(Stéphane de Labrusse) #16

For samba, it is easy:

/var/lib/nethserver/home/helene/


(Agustinus Mulyawan) #17

Hi,

I don’t really know the coding… but it should be done using the Nextcloud API.


(Davide Principi) #18

Yes, maybe the occ command can help to sort out the user’s folder /cc @alep


(Stéphane de Labrusse) #19

Yep, something like this should do the trick:

https://docs.nextcloud.com/server/13/admin_manual/configuration_user/user_auth_ldap_cleanup.html#ldap-user-cleanup

sudo -u www-data php occ user:delete [user]
removes the user’s data from the Nextcloud data directory.

[root@ns7loc ~]# su - apache -s /bin/bash -c "source /opt/rh/rh-php71/enable; cd /usr/share/nextcloud/; php occ user:list"
  - 79E2CF60-8534-4053-BE9F-32647D325179: NethServer LDAP simple auth identity (ldapservice)
  - C34FF8A0-F2BA-47F2-B3E6-5C71885C5491: de labrusse (stephane)
  - F48A756D-0992-41B3-9C1C-FD316F62005F: NethServer Administrator (admin)
  - admin: admin


[root@ns7loc ~]# su - apache -s /bin/bash -c "source /opt/rh/rh-php71/enable; cd /usr/share/nextcloud/; php occ user:list" |grep '(stephane.delabrusse)'|awk '{print $2}'|sed 's/:$//'
5F7EBACF-58B5-49AA-B8F9-A48A9A7894E8
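Added example, not code from the thread or from NethServer: a shell helper that resolves a Nextcloud directory UUID from the `occ user:list` output format shown above by comparing the trailing `(username)` token exactly, so a loose grep on a display name or a substring cannot select another account's folder for deletion. The sample output is constructed from the lines in this post; the function and its return codes are assumptions.

```bash
#!/bin/bash
# Constructed sample of `occ user:list` output, in the format shown in the thread.
SAMPLE_OCC_OUTPUT='  - 79E2CF60-8534-4053-BE9F-32647D325179: NethServer LDAP simple auth identity (ldapservice)
  - C34FF8A0-F2BA-47F2-B3E6-5C71885C5491: de labrusse (stephane)
  - F48A756D-0992-41B3-9C1C-FD316F62005F: NethServer Administrator (admin)
  - admin: admin'

# nc_uuid_for_user USERNAME [OCC_OUTPUT]
# Prints the matching directory id on stdout.
# Returns 1 when no entry matches and 2 when more than one matches, so a
# caller never runs `occ user:delete` with an empty or ambiguous id.
nc_uuid_for_user() {
    local user="$1" out="${2:-$SAMPLE_OCC_OUTPUT}" matches
    matches=$(printf '%s\n' "$out" | awk -v u="$user" '
        # Each entry looks like "  - <id>: <display name> (<username>)".
        # The username is the last field; compare it as a literal string,
        # not as a regex, so dots or other metacharacters cannot widen the match.
        $1 == "-" && $NF == "(" u ")" {
            id = $2
            sub(/:$/, "", id)   # strip the trailing colon from the id
            print id
        }')
    [ -z "$matches" ] && return 1
    # shellcheck disable=SC2086
    set -- $matches           # ids contain no whitespace, so one word per match
    [ "$#" -gt 1 ] && return 2
    printf '%s\n' "$1"
}

# Stand-alone demo: resolve one user from the constructed sample.
nc_uuid_for_user stephane
```

A hook on the user-delete event would call this once, check the return code, and only then pass the single id to `occ user:delete`.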

(Davide Principi) #20

As an alternative approach, you could also query mysql:

[root@here ~]# echo "select directory_uuid from oc_ldap_user_mapping where ldap_dn like 'cn=davidep,%';" | mysql nextcloud
directory_uuid
67C77753-DFC4-4A1C-80F5-9DA9BF54674B

The query depends on the accounts provider but can be generalized as:

[root@here ~]# echo "select directory_uuid from oc_ldap_user_mapping where ldap_dn like 'cn=davidep,%' or ldap_dn like 'uid=davidep,%' ;" | mysql nextcloud
directory_uuid
67C77753-DFC4-4A1C-80F5-9DA9BF54674B

Both solutions are hacks: if the table schema or the command output change we have a problem…